Recently leaked computer vulnerabilities Meltdown and Spectre offer yet another reminder of how hard the digital age makes it to keep private information – even cryptocurrency private keys – safe.
Unveiled Wednesday, the widespread hardware vulnerabilities simultaneously impact Intel, ARM and AMD computer chips, which power the vast majority of the world’s computers, mobile devices and servers, making it possible to steal private data such as passwords, financial information or just about anything stored on any device that uses one of these chips.
Where this is important for cryptocurrency in particular is, hackers can potentially use the specific attack vector to pinch the private keys that allow users to control their bitcoins on the blockchain.
Popular Mechanics called it a “horrific” bug, contending it’s “hard to zero in on the most troubling part of this flaw,” while an informational page authored by security researchers remarks that you’re “most certainly” impacted by the bug.
And though there’s no evidence that any passwords have been compromised, experts say it wouldn’t be surprising if hackers or the NSA have been exploiting the attack.
If you’re already following best practices for cryptocurrency storage, then you’re probably fine. But if not, or if you’re a newer user, experts say it’s important to keep private keys on a safe device.
“Better safe than sorry,” said Bitcoin Core developer Bryan Bishop told CoinDesk, adding:
An attacker who has knowledge of a sufficiently powerful vulnerability can theoretically force your CPU to reveal secret data such as private keys used to control your bitcoin.”
It’s important to note that the advice to store private keys on a secure device is nothing new. (Crypto developers have long warned against storing private keys on laptops or other devices that interact with the internet.)
But the reasons why might not be obvious for newer users. Even though bitcoin and other cryptocurrencies are secure protocols, they must interact with the open internet and regular computers. In short, storing private keys so close to the internet can potentially expose users to hacks and theft.
And the new CPU vulnerabilities make the situation even worse, as a chain of actions can lead to error and compromise.
“If the protected memory problem is real, then a browser plugin or even a website may access your private keys,” said Bitcoin Core contributor Jonas Schnelli.
The full details of the issue aren’t yet public, so it’s unclear what the precise attack vectors are. Still, others suggested a similar impact could be likely.
“To get hit by this attack, all you would have to do is click a link by accident and maybe you end up on a website that serves a bad ad with the malware code that steals your data,” Bishop added.
And while these scenarios might sound far-fetched, most of today’s malware pry on similar vulnerabilities that have yet to be patched. It’s just impossible to know who and when they’ll actually hit.
Operating system fixes are now available that users should use to patch up their Windows, Mac, and Linux devices. But, for cryptocurrency users, the better option is not to store private keys on an internet-connected device at all, a recommendation common far before this particular vulnerability.
One option is to store private keys on a so-called “hardware wallet,” such as Ledger or Trezor. The small devices might not be quite as easy to use, but they are more secure in that their not connected to the internet.
Pavol Rusnak, CTO of SatoshiLabs, the company behind Trezor, went as far as to argue “Using a [hardware] wallet is now more important than ever!” While ethereum developer Lefteris Karapetsas quipped, “I bet Spectre and Meltdown is the best thing that could have happened for cryptocurrency cold wallet businesses.”
Exchange treasure troves
Beyond solo consumer devices, a much bigger, more worrying target is cryptocurrency exchanges and businesses, which store cryptocurrency private keys for millions of users at once.
Some cryptocurrency exchanges use cloud hosting services such as Amazon Web Services and Google Cloud to run their websites, rather than spin up their own servers.
While these platforms make websites easier to manage, they are particularly vulnerable to these attacks. A hacker could theoretically spin up a server using the same hardware as a cryptocurrency startup running operations on such a cloud platform and suddenly have access to all of their data.
In the crypto world, a hacker could hypothetically use this attack vector to steal private keys.
On the one hand, many of the most popular cloud platforms quickly unrolled fixes. On the other hand, researchers worry that deep-rooted vulnerabilities could spawn unfixed variants, with possible lingering effects to come.